White-hat hackers to the rescue
By: Nilesh Jain, Vice President of South East Asia and India, Trend Micro
Research and development are two globally accepted business functions across sectors, and cybersecurity is no stranger to this. The recent SingHealth incident and the British Airways data breach, which affected 1.5 million Singaporeans and 380,000 customers globally, respectively, show how important such research is. With governments imposing stricter online privacy laws, companies can’t afford to lose even basic consumer data like a single date of birth. Given the attack on the Shangri-La hotel where personal data of 3,000 members was leaked, we think the time to place more focus on cybersecurity research is now.
Research plays an integral role in detecting possible security system flaws or exploits, commonly known as bugs, which may lead to future data breaches. Once these bugs have been detected, enterprises can roll out a patch that closes the security hole and prevents hackers from attacking the system through it. After all, “prevention is better than cure”, and this rings true for cybersecurity.
In fact, at last year’s cybersecurity week, the Singapore government announced its Bug Bounty Programme that invites local and international ethical computer hackers and experts, known as white-hat hackers, to test selected internet-facing government systems and identify vulnerabilities.
So who exactly are white-hat hackers?
Security experts realized that, in order to protect user data, they needed much more support than their in-house coders and security teams could provide. An insider perspective was needed to help win this war against cybercrime, and who better for the job than the hackers themselves? Unlike their darker counterparts, white-hat hackers are programmers who devote their time to discovering threats and vulnerabilities in order to protect and defend companies against security attacks. They can be from all walks of life, from students to professionals, who are passionate about coding and cybersecurity.
The job of a white-hat hacker goes beyond just discovering bugs or unknown network threats. According to Bruce Schneier, information security expert, these individuals are successful in finding vulnerabilities as they have a tendency to focus on “how systems fail, how they can be made to fail and… protected against those failures.”
How they help
While the initiative by the Singaporean government to make ethical hacking mainstream is new, there have been other platforms, like the Zero Day Initiative (ZDI), which also work with white-hat hackers. ZDI represents the world’s largest vendor-agnostic bug bounty program that encourages white-hat hackers to report and share their findings on zero-day vulnerabilities through a reward and referral scheme. The security vulnerability is labelled as a zero-day exploit, as it takes advantage of a publicly disclosed or unreported software flaw that leaves the software exposed to threats such as malware. This is remediated when the affected vendor provides a patch to fix the issue. The more exploits discovered through additional research, the higher the monetary compensation received.
How it works
Should a white-hat hacker submit a zero-day exploit to a bug bounty program, they’ll have to go through a process in order to determine the severity of the exploit. Once the vulnerability is identified, the researcher will be contacted by respective program affiliates and cybersecurity vendors to help develop patches for the bug. This also includes developing filters to ensure that customers remain protected while the vendor is addressing the bug. Between the date a system vulnerability is found and the date the corresponding patch is released, there is a period during which companies are not protected at all. This is a sensitive period. That’s why, when a white-hat hacker identifies a threat, we recommend virtual patching for immediate protection against potential attacks, until the official patch is released.
In instances such as ZDI, program managers will work closely together with the vendor in question to distribute a security patch and issue a joint advisory to notify the public affected by the vulnerability. Credit for discovering the vulnerability will be rightfully attributed to the original researcher.
Impact on society
The growth of the Zero Day Initiative bug bounty program and other similar research initiatives can help contribute towards a more secure internet community – one where an individual has the freedom to connect and trawl through the net without hesitation, both locally and globally. Without such initiatives, many of these bugs would remain behind closed doors and would likely get sold on the black market for corrupt purposes.
Singapore’s Bug Bounty Program initiative will go a long way towards collectively strengthening our nation’s cyber defense. Besides fostering collaborative spirit among local defenders and safeguarding state-owned assets, this initiative will also protect data that belongs to families, friends, and the wider community.
As the threat landscape continues to evolve, vulnerability research programs can help to drive and advance cybersecurity skillsets. By incentivizing vulnerability research, security companies can help ramp up interest among budding white-hat hackers in order to bridge the gap and provide research for societal good.